When the prospect of large monetary settlements is on the table, no business sector is secure from plaintiffs' attorneys. In this pattern, there is a growing campaign by the plaintiffs' bar to target data privacy and security in the hopes of striking it rich in a new goldmine on the level of the asbestos litigation of the 1970s, 1980s, and 1990s. In fact, four plaintiffs' firms, or 1.5 percent of the 240 firms that filed data privacy complaints in the period between the third quarter of 2013 and the third quarter of 2014, accounted for over a third of the complaints filed. The plaintiffs' bar appears to be taking advantage of the unfortunate reality that data breaches are becoming more commonplace, privacy laws and regulations in the U.S. are in flux, federal and state regulators are hungry for a new privacy framework, and consumers and citizens are confused about what protections, if any, apply to their information. In doing so, plaintiffs' attorneys are undertaking to expand regulation of and legal exposures for businesses in this area and also are stretching old laws to address new situations involving privacy in unintended ways.

This newly released research addresses how the plaintiffs' bar is adapting to and taking advantage of the ever-changing data privacy and security legal landscape. It explores major privacy cases and settlements, showing how the plaintiffs' bar is targeting breaches and other privacy violations. It also profiles the major firms that bring a large proportion of the cases-including Edelson PC and Lieff Cabraser Heimann & Bernstein LLC-along with the tactics they are employing to create privacy cases and take aim at defendants, and the theories that they have been testing in the courts. This paper concludes with a suggested framework for reform.